Effective February 1, 2018, there are new PCI DSS requirements that could have a significant impact on your PCI compliance. If you haven’t started working to meet these new requirements, you should make plans to speak with your auditor about how to start implementing these changes.
The nine new PCI DSS requirements will be considered best practice until February 1st. These requirements are:
New PCI DSS Requirements for Everyone
Requirement 6.4.6 – Change management implementation and documentation
- Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
- The determination of what constitutes a significant change is highly dependent on the configuration of a given environment. If an upgrade or modification could allow access to cardholder data or affect the security of the cardholder data environment, then it could be considered significant. (Found in 11.2.3 guidance)
Requirement 8.3.1 – Multi-factor authentication
- Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
- Multi-factor authentication will be required even when coming from a trusted network. This will be required for all non-console administrative access.
New PCI DSS Requirements for Service Providers Only
Requirement 3.5.1 – Maintain documentation of cryptographic architecture
- Maintain a documented description of the cryptographic architecture that includes:
- Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
- Description of the key usage for each key
- Inventory of any HSMs and other SCDs used for key management
Requirement 10.8 – Implement a process for responding to failures of any critical security controls
- Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:
- Physical access controls
- Logical access controls
- Audit logging mechanisms
- Segmentation controls (if used)
Requirement 10.8.1 – Implement a process for responding to failures of any critical security controls
- Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:
- Restoring security functions
- Identifying and documenting the duration (date and time start to end) of the security failure
- Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause
- Identifying and addressing any security issues that arose during the failure
- Performing a risk assessment to determine whether further actions are required as a result of the security failure
- Implementing controls to prevent cause of failure from reoccurring
- Resuming monitoring of security controls
Requirement 126.96.36.199 – Test segmentation control every six months
- If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
Requirement 12.11 – Management review of policies and procedures every six months
- Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:
- Daily log reviews
- Firewall rule-set reviews
- Applying configuration standards to new systems
- Responding to security alerts
- Change management processes
Requirement 12.11.1 – Document six-month management review
- Maintain documentation of quarterly review process to include:
- Documenting results of the reviews
- Review and sign off of results by personnel assigned responsibility for the PCI DSS compliance program
If you have any questions with how these changes will affect your compliance or need additional help with implementation, contact us today. Feel free to check out our on-demand webinar that goes in depth on the new requirements.